Add a warning when we see a <2048 bit key on the endpoint; include the certificate expiry time.
iay committed Feb 5, 2013
1 parent 420138d commit 7cf70d6
Showing 2 changed files with 52 additions and 0 deletions.
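--- a/build/probe_nk_certs.pl
+++ b/build/probe_nk_certs.pl
@@ -101,6 +101,28 @@ sub comment {
 $subject = $1;
 }
 
+#
+# Extract the public key size. This is displayed differently
+# in different versions of OpenSSL.
+#
+if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
+$pubSize = $1;
+$pubSizeCount{$pubSize}++;
+# print " Public key size: $pubSize\n";
+if ($pubSize < 1024) {
+error('PUBLIC KEY TOO SHORT');
+}
+next;
+} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
+$pubSize = $1;
+$pubSizeCount{$pubSize}++;
+# print " Public key size: $pubSize\n";
+if ($pubSize < 1024) {
+error('PUBLIC KEY TOO SHORT');
+}
+next;
+}
+
 if (/Not After : (.*)$/) {
 $notAfter = $1;
 $notAfterTime = str2time($notAfter);
@@ -122,6 +144,10 @@ sub comment {
 
 }
 
+if ($pubSize < 2048) {
+warning("short public key: $pubSize bits, certificate expires $notAfter");
+}
+
 if ($subject eq $issuer) {
 $issuer = "(self-signed certificate)";
 }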
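Review bot: The new `if ($pubSize < 2048)` check in the second hunk runs whether or not either key-size pattern matched for the certificate being processed. If neither matched (a different `openssl x509 -text` layout, for instance), `$pubSize` is either undef, which compares as 0 and produces a warning with an empty size, or, depending on where it is declared, still holds the previous certificate's value, in which case a short key could pass on a stale number. The declaration and any per-certificate reset are outside the hunk, so this may already be handled; if it is not, clear `$pubSize` before each certificate is parsed and guard the check with `if (!defined $pubSize) { warning("public key size not found"); } elsif ($pubSize < 2048) {`. The same holds for `$notAfter` in the message, and for the identical hunk in build/probe_nk_nocerts.pl.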
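--- a/build/probe_nk_nocerts.pl
+++ b/build/probe_nk_nocerts.pl
@@ -107,6 +107,28 @@ sub comment {
 $subject = $1;
 }
 
+#
+# Extract the public key size. This is displayed differently
+# in different versions of OpenSSL.
+#
+if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
+$pubSize = $1;
+$pubSizeCount{$pubSize}++;
+# print " Public key size: $pubSize\n";
+if ($pubSize < 1024) {
+error('PUBLIC KEY TOO SHORT');
+}
+next;
+} elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
+$pubSize = $1;
+$pubSizeCount{$pubSize}++;
+# print " Public key size: $pubSize\n";
+if ($pubSize < 1024) {
+error('PUBLIC KEY TOO SHORT');
+}
+next;
+}
+
 if (/Not After : (.*)$/) {
 $notAfter = $1;
 $notAfterTime = str2time($notAfter);
@@ -128,6 +150,10 @@ sub comment {
 
 }
 
+if ($pubSize < 2048) {
+warning("short public key: $pubSize bits, certificate expires $notAfter");
+}
+
 if ($subject eq $issuer) {
 $issuer = "(self-signed certificate)";
 }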
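Review bot: The OpenSSL 1.0 branch, `/^\s*Public-Key: \((\d+) bit\)/`, is not specific to RSA: as far as I know that release line prints the same `Public-Key: (N bit)` line for EC keys, so a 256-bit EC key would reach `error('PUBLIC KEY TOO SHORT')` and the later `< 2048` warning even though both thresholds are RSA strengths. If non-RSA keys can appear on these endpoints, record the `Public Key Algorithm:` line and apply the limits only to RSA, e.g. `if ($pubAlg eq 'rsaEncryption' && $pubSize < 1024) {` with `$pubAlg` as a new variable; other algorithms need their own minimums. The two branches are otherwise identical, so a single alternation, `/(?:RSA Public Key|^\s*Public-Key): \((\d+) bit\)/`, would keep the thresholds in one place. build/probe_nk_certs.pl carries the same code.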
